git.ipfire.org Git - thirdparty/hostap.git/commitdiff
Avoid undefined behavior in get_vendor_ie()
author Jouni Malinen <quic_jouni@quicinc.com>
Tue, 25 Feb 2025 21:19:30 +0000 (23:19 +0200)
committer Jouni Malinen <j@w1.fi>
Tue, 25 Feb 2025 22:21:38 +0000 (00:21 +0200)
This might be called with ies == NULL and for_each_element_id() would
try to calculate NULL + 0 in that case. That would be undefined
behavior. Avoid that by checking for ies == NULL just like the other
get_ie*() functions already did.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/common/ieee802_11_common.c

index 14750b4811f383e0a8bb8d2143e0b76555a3dbcf..1d28437fe638325e51cb70cb8214a550f349fcc7 100644 (file)
@@ -2570,6 +2570,9 @@ const u8 * get_vendor_ie(const u8 *ies, size_t len, u32 vendor_type)
 {
        const struct element *elem;
 
+       if (!ies)
+               return NULL;
+
        for_each_element_id(elem, WLAN_EID_VENDOR_SPECIFIC, ies, len) {
                if (elem->datalen >= 4 &&
                    vendor_type == WPA_GET_BE32(elem->data))
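
Review bot: The new `if (!ies)` check at the top of get_vendor_ie() has no comment, and read on its own it looks redundant: in the NULL + 0 case the commit message describes, len is 0 and the loop has nothing to iterate, so a later cleanup could remove the check without noticing that it exists to keep for_each_element_id() from doing pointer arithmetic on NULL. A one-line comment above it stating that reason would keep it in place. The check also returns NULL for ies == NULL whatever len is, so a caller that passes a NULL buffer with a non-zero length gets the same "not found" result as an empty buffer; if that combination can only come from a caller bug, it is worth saying so in the function's documentation.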